Sextortion Scam With Leaked Passwords Succeeds

Following the forum post on sextortion emails being spammed to innocent victims, we were curious to see if this scam would indeed be successful. We have observed similar scam campaigns before, but now the scammers seem to include the victim’s password as well, creating a sense of legitimacy. During our analysis we observed 3 payments to the Bitcoin addresses used by the extortionists, as such, it seems innocent victims fell for this scam and paid the ransom.

Using the following YARA rule, we identified 11 files uploaded to VirusTotal, resulting in 9 unique extortion emails.

A typical extortion email for this campaign looks like this, notice the opening paragraph with the password (hidden by us):

The subject of the email is the local-part of the victim’s email address (the part before @) followed by the victim’s leaked password. We were able to retrieve this password (together with the corresponding email address) from leaked password databases.

It looks like this new social engineering trick of including some secret (albeit old) information in a sextortion email can be successful: out of the 8 different Bitcoin addresses we extracted from 9 different emails, 3 Bitcoin addresses received Bitcoins during the last days for amounts varying between $1900 and $3900 (the ransom demands we observed in the emails are $1900, $2900 and $3900).

Of course, we can not be sure that the ransom was indeed paid by the victims and not by somebody else, but these specific amounts do indicate that there could be a relationship to the extortion mails. To protect the victims, we are not publishing any IOCs that could lead to their identification.

About the authorsDidier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.